[Samba] Rights issue on GPO

lingpanda101 at gmail.com lingpanda101 at gmail.com
Tue Jun 21 14:48:21 UTC 2016

On 6/21/2016 7:09 AM, lists wrote:
> Hi Achim,
>> Looks like on DC4 3000300 is mapped to an computer account for 
>> "proxmox".
>> On DC2/DC32 3000009 should map to S-1-5-18 (Local System) and 3000300
>> S-1-5-11 (Autheticated Users).
>> These are both Security groups which do not resolv via winbindd so they
>> can not be mapped. (you may add manual mapping via the --groupmap on
>> your rsync commandline).
>> I assume you can delete the mapping for 3000300 on dc4 and change the
>> mapping for  S-1-5-11 to 3000300 (and S-1-5-18 to 3000009 if that id is
>> not used by something else) in idmap.ldb on DC4. After an cache flush
>> sync things should work again.
> I took a backup of the dc4 kvm, and followed the procedure on the wiki 
> to copy the idmap.ldb from DC2 to DC4. (a bit more drastical, but it 
> seems to have worked out also)
> Then YOUR sysvol sync method, over ssh, and now the permissions look 
> good on DC4.
> Thanks!
> MJ

I found my issue. On one of my DC's I had misspelled 'idmap_ldb:use 
rfc2307 = Yes'. I had it 'idmap_lbd:'. Ran 'net cache flush' and wbinfo 
gave correct mappings. I find it odd that 'samba-tool testparm' never 
threw any errors.


More information about the samba mailing list